
user1234

macrumors 6502a
Mar 3, 2009
834
653
Sweden
Is it really more secure? What about when a domain is hijacked or DNS tables are poisoned by hackers?

Then they don’t have the public key (unless they also hacked the original site and got the database) so it won’t authenticate.
What if you have a non Apple device in your family of Apple devices?
You can’t very easily login there. I hope Apple will work with IEEE to set a standard for this so everyone can participate.

No need to work with IEEE. This is already a W3C standard that has been supported since iOS 13.3: https://www.w3.org/TR/webauthn/
The news is that Apple now enables their FaceID/TouchID hardware to be used to authenticate.
Multiple authenticators can be added to supported sites. So far the only service I use that supports WebAuthn passwordless logins is my Microsoft account. It is my understanding that Apple's implementation will be using this passwordless standard, in which case sites will have to add support.
 

mazz0

macrumors 68040
Mar 23, 2011
3,132
3,579
Leeds, UK
One: it is phishing-resistant, two: if the data was intercepted or the other side has a database leak, the information is worthless since it cannot be used for future logins.
Yeah, I get how it could be more secure, just not how it could be significantly more convenient. The post above mine said, and others have implied, that it's very convenient. The original article quotes Apple saying it's frictionless and simple. Well so is letting Safari use FaceID to retrieve my password. In fact, given Safari submits the login form automatically, it sounds like from the user's perspective the interaction will be identical: visit a site, get a prompt for FaceID, tap yes, and you're logged in.
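
The properties claimed in the thread so far (the login is bound to the real site's origin, a captured login cannot be reused, and the site stores only a public key), as an added example that is not part of any post: a Node.js simulation of a WebAuthn assertion and the checks a relying party runs on it. The origins, RP ID and function names are constructed for illustration, and the authenticator is simulated in software rather than Face ID/Touch ID hardware.

```javascript
// Added example, not from the thread: simulated WebAuthn assertion and relying-party checks.
const crypto = require("node:crypto");

const RP_ID = "example.com";             // constructed relying-party ID
const RP_ORIGIN = "https://example.com"; // constructed expected origin
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Registration: the authenticator keeps the private key, the site stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Stand-in for browser + authenticator. The browser, not the page script, fills in `origin`.
// A real authenticator holds no credential for another RP ID; it signs here only to show the server checks.
function signAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (UP=0x01, UV=0x04) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying party: needs only the stored public key and the challenge it issued for this login.
function verifyAssertion(a, expectedChallenge, storedPublicKey) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong type";
  if (c.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (c.origin !== RP_ORIGIN) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(RP_ORIGIN, RP_ID, challenge);
  // Look-alike site relays the real challenge; the browser still reports the look-alike origin.
  const phished = signAssertion("https://example-login.test", "example-login.test", challenge);
  // Swapping in the genuine clientDataJSON/authData leaves a signature over different bytes.
  const spliced = { ...good, signature: phished.signature };
  return {
    good: verifyAssertion(good, challenge, publicKey),
    phished: verifyAssertion(phished, challenge, publicKey),
    spliced: verifyAssertion(spliced, challenge, publicKey),
    // A captured assertion presented against the next login's fresh challenge.
    replayed: verifyAssertion(good, crypto.randomBytes(32), publicKey),
  };
}
console.log(demo());
```

A production relying party would also compare the signature counter with the stored value and use a maintained WebAuthn library instead of hand-rolled parsing.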
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,700
Yeah, I get how it could be more secure, just not how it could be significantly more convenient.

Many sites now require two-factor every login. In particular, EU banks and payment services are required by law to do two-factor. Business and school sign-ins are very often two-factor by policy. This is far more convenient, and secure, than fiddling with SMS and code generators every single time, particularly on computers that don't have apps.
 

mazz0

macrumors 68040
Mar 23, 2011
3,132
3,579
Leeds, UK
Many sites now require two-factor every login. In particular, EU banks and payment services are required by law to do two-factor. Business and school sign-ins are very often two-factor by policy. This is far more convenient, and secure, than fiddling with SMS and code generators every single time, particularly on computers that don't have apps.
So it uses FaceID twice - once to unlock your keychain and access your password, and then again directly as the second form of authentication? Or is the idea that using FaceID alone replaces both password and 2FA code, because FaceID is already arguably 2FA in one (it’s your face, something you are, and your phone, something you possess)?
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,700
So it uses FaceID twice - once to unlock your keychain and access your password, and then again directly as the second form of authentication? Or is the idea that using FaceID alone replaces both password and 2FA code, because FaceID is already arguably 2FA in one (it’s your face, something you are, and your phone, something you possess)?

When fully implemented, you do not need to enter a username or password; see my earlier description of Microsoft's sign-in. Your second description is right: it represents the biometrics (or a PIN in some cases) and the fact that you possess hardware that stores the key.
 

mazz0

macrumors 68040
Mar 23, 2011
3,132
3,579
Leeds, UK
When fully implemented, you do not need to enter a username or password; see my earlier description of Microsoft's sign-in. Your second description is right: it represents the biometrics (or a PIN in some cases) and the fact that you possess hardware that stores the key.
Sweet, that does sound convenient then :)
 

0924487

Cancelled
Aug 17, 2016
2,699
2,808
Did you read the article? It's saying that Apple platforms will act as a built-in FIDO2 authenticator; something that Windows and Android already do today.

Exactly like Microsoft did, they implemented FIDO2 locked to their own site first, and are now expanding it to other sites.
I doubt FaceID style Sign In with Apple will use Windows Hello or Linux whatever. It’s probably gonna be redirected to applied.apple.com and you have to punch in your Apple ID information and you have to get a code on your iPhone and type it in.
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,700
I doubt FaceID style Sign In with Apple will use Windows Hello or Linux whatever. It’s probably gonna be redirected to applied.apple.com and you have to punch in your Apple ID information and you have to get a code on your iPhone and type it in.

Read the Safari 14 Beta release notes. It says exactly what I said.

Authentication and Passwords
New Features
  • Added a Web Authentication platform authenticator using Face ID or Touch ID, depending on which capability is present.
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,700
Does that work on Windows for Sign In with Apple?

No. As I said, they're doing exactly what Microsoft did. From around 2017-2018, Microsoft auto sign-in (Outlook.com, OneDrive, etc) would only work on Windows, on Edge, with a logged in Microsoft account, even though it was FIDO2 underneath.

Microsoft got Windows FIDO2 certification in early 2019, and then allowed Microsoft accounts to be associated with third party FIDO2 keys. They also allowed Windows to act as a FIDO2 authenticator for third party sites.

Apple is currently where Microsoft was 3 years ago. You can sign in to Apple accounts automatically only with Safari and a system-associated Apple account. Google is where Apple is running the beta, accounts only work with their own implementation, but the system acts as an authenticator to third-party sites: https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html
 